With the migration toward Internet Protocol (IP) over Ethernet, especially in the access network, more and more network nodes (or network sites), especially remote network nodes, are protected by secure communication tunnels, such as IPsec tunnels (Internet Protocol Security tunnels), i.e. tunnels running from the base station up to some centralized nodes or sites where the security gateways, e.g. the Internet Protocol Security Gateways (IPsecGWs), are located. In larger networks, several hundred up to a few thousand base stations or other network nodes might be connected to a pair of IPsecGWs. This also means that a severe failure of the security gateways (e.g. an IPsecGW failure) or issues with the certificate handling might have a large impact on the radio service.
Even when redundancy of security gateways (such as IPsecGW redundancy) is provided, together with smart or stateful switch-over mechanisms, there is a reasonable risk of severe failures of the cluster of security gateways, e.g. a redundant IPsec cluster. Even an issue with certificate handling might lead to a situation in which all radio nodes are no longer allowed to set up secure communication tunnels, such as IPsec tunnels, to the security gateway.
Because the management plane of the radio node is also to be protected by the security mechanism, especially IPsec, loss of the functionality of the security mechanism (e.g. IPsec) means not only the loss of the radio service but also the loss of remote management access to the radio nodes. That means an operator cannot switch the radio nodes back to non-security communication (e.g. non-IPsec communication) without a site visit.
An automatic switch back of the radio nodes to non-security communication (e.g. non-IPsec) in case the secure communication tunnel, such as the IPsec tunnel, cannot be established is not acceptable from a security perspective, as this might give a “man in the middle” the opportunity to disable the security measure.